Content deleted Content added
Laura240406 (talk | contribs) |
|||
Line 34:
The [[network stack]] also makes heavy use of randomization to increase security and reduce the predictability of various values that may be of use to an attacker, including [[Transmission Control Protocol|TCP]] initial sequence numbers and timestamps, and ephemeral source ports.<ref>{{Cite web|url=http://www.securityfocus.com/columnists/361|title=OpenBSD's network stack|last=Biancuzzi|first=Federico|date=October 12, 2005|publisher=[[SecurityFocus]]|access-date=December 10, 2005}}</ref> A number of features to increase network resilience and availability, including countermeasures for problems with [[Internet Control Message Protocol|ICMP]] and software for redundancy, such as [[Common Address Redundancy Protocol|CARP]] and [[pfsync]], are also included. The project was the first to disable the plain-text [[telnet]] daemon in favor of the encrypted [[Secure shell|SSH]] daemon, in 1999,<ref>{{cite web |date=10 April 1999 |first1=Theo |last1=de Raadt |author-link1=Theo de Raadt |title=disable telnet/ftp/login by default, for now |url=http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/etc/Attic/inetd.conf?rev=1.32&content-type=text/x-cvsweb-markup|work=OpenBSD}}</ref> and features other integrated cryptographic software such as [[IPsec]]. The telnet daemon was completely removed from OpenBSD in 2005<ref>{{cite web |url=http://marc.info/?l=openbsd-cvs&m=111700017509177&w=2 |quote=Removed files: libexec/telnetd |title=CVS: cvs.openbsd.org: src |first1=Theo |last1=de Raadt |author-link1= Theo de Raadt |website=OpenBSD-CVS mailing list |date=25 May 2005}}</ref> before the release of OpenBSD version 3.8.
===Signify===
{{Main|Signify (OpenBSD)}}
The OpenBSD project had invented their own utility for cryptographic signing and verification of files, <code>signify</code>,<ref name="BSDCan 2015 signify paper">{{cite web |last1=Unangst |first1=Ted |title=signify: Securing OpenBSD From Us To You |url=https://www.openbsd.org/papers/bsdcan-signify.html |website=www.openbsd.org |publisher=BSDCan 2015 (June), Ottawa, Canada |access-date=12 July 2022 |ref=bsdcan-signify}}</ref> instead of using existing standards and software such as [[OpenPGP]] and [[GNU Privacy Guard|GnuPG]]. The creator of the <code>signify</code> utility, Ted Unangst, wrote in 2015, speaking of [[OpenPGP]] and [[GNU Privacy Guard|GnuPG]]: ''"The concerns I had using an existing tool were complexity, quality, and complexity."''<ref name="BSDCan 2015 signify paper" /> This is in line with the project's longtime tendency to reduce complexity, and [[Vulnerability (computing)#Causes|in turn, reduce the probability of vulnerabilities]] existing in the software, and help the user understand the software better and make more security-educated decisions. <code>signify</code> is integrated into the base operating system and used for verification of all releases, patches, and packages starting with OpenBSD 5.5.<ref>{{cite web |title=OpenBSD 5.5 |url=https://www.openbsd.org/55.html |website=www.openbsd.org |access-date=12 July 2022}}</ref><ref>{{cite web |title=OpenBSD: Innovations |url=https://www.openbsd.org/innovations.html |website=www.openbsd.org |ref=innovations}}</ref> In contrast, other [[Free Software]] operating systems and security-focused software tend to use [[OpenPGP]] for release verification, and as of 2022 continue to do so, including: [[Debian]], a prominent operating system that's also used as a base for other operating systems, including [[Ubuntu]];<ref>{{cite web |title=Verifying authenticity of Debian images |url=https://www.debian.org/CD/verify |website=www.debian.org |access-date=12 July 2022}}</ref> [[Kali Linux]], a specialized operating system for [[penetration testing]], security research, [[digital forensics]], and [[Reverse engineering#Software|reverse engineering]];<ref>{{cite web |title=Download Kali Linux Images Securely {{!}} Kali Linux Documentation |url=https://www.kali.org/docs/introduction/download-images-securely/ |website=Kali Linux |access-date=12 July 2022 |language=English}}</ref> [[Qubes OS]], a security-focused operating system;<ref>{{cite web |title=Verifying signatures |url=https://www.qubes-os.org/security/verifying-signatures/ |website=Qubes OS |access-date=12 July 2022 |language=en}}</ref> [[Tor Browser]], an anonymous Web browser;<ref>{{cite web |title=How can I verify Tor Browser's signature? {{!}} Tor Project {{!}} Support |url=https://support.torproject.org/tbb/how-to-verify-signature/ |website=support.torproject.org |access-date=12 July 2022}}</ref> [[SecureDrop]], a software package for journalists and whistleblowers to exchange information securely and anonymously over the Internet;<ref>{{cite web |title=Share and accept documents securely |url=https://securedrop.org/ |website=SecureDrop |publisher=Freedom of the Press Foundation |access-date=12 July 2022 |language=en}}</ref> and [[VeraCrypt]], a software program for [[on-the-fly encryption]] and [[full disk encryption]].<ref>{{cite web |title=VeraCrypt - Free Open source disk encryption with strong security for the Paranoid |url=https://veracrypt.fr/en/Digital%20Signatures.html |website=veracrypt.fr |publisher=IDRIX |access-date=12 July 2022}}</ref>
| |||